Accelerating
Bliss
: the geometry of ternary polynomials
L´eo Ducas
University of California, San Diego [email protected]
Abstract
The signature scheme Bliss proposed by Ducas, Durmus, Lepoint and Lyubashevsky at Crypto’13, is currently the most compact and efficient lattice-based signature scheme that is provably secure under lattice assumptions. It does compare favourably with the standardized schemes RSA and ECDSA on both Software and Hardware.
In this work, we introduce a new technique that improves the above scheme, offering an acceleration factor up to 2.8, depending on the set of parameters.
Namely, we improve the unnatural geometric bound used in Bliss to a tighter and much more natural bound by using some extra degree of freedom: the ternary representations of binary challenges. Precisely, we efficiently choose a ternary representation that makes the result deterministically shorterthan theexpected length for a random challenges.
Our modified scheme Bliss-bis rather close to the original scheme, and both versions are compatible. The patch has been implemented on the Open-Source Software implementation of
Bliss, and will be released under similar license.
1
Introduction
Lattice based cryptography [Ajt96, AD97], has received a lot of attention in the last decade, mostly for theoretical interest. First for security: lattices enjoy worst-case hardness properties and seem resistant to quantum attacks. Later, lattices have shown exceptional versatility, allowing new constructions such as the breakthrough result of Gentry [Gen09] for Fully Homomorphic Encryption. On the practical side, lattice-based cryptography has long been apromisingalternative to RSA and discrete-log cryptography. Indeed, the use ofalgebraic lattices [Mic02] can boost many lattice-based constructions as already noticed in the late 90’s for the construction of the NTRU Encryption scheme1 [HPS98]. While efficient lattice-based encryption has quickly found satisfactory solutions, lattice-based signatures have been more problematic: the natural lattice trapdoor leaks some secret information [NR06, DN12]. It is only in 2008 that provably secure solutions to prevent such leakage have been found [GPV08, Lyu09].
Both solutions were originally not so practical, and could only be proved secure in the random-oracle model. Despite several efforts [SS11, DPL14] the hash-then-sign approach of [GPV08] is indeed quite slow for signatures in practice. But the trapdoors of [GPV08, MP12] remain useful for more advanced constructions such as attribute based encryption [CHKP12, GVW13, DPL14] or to avoid relying on random oracles [Boy10, DM14] when building signatures.
1
On the other hand, the Fiat-Shamir with aborts approach of Lyubashevsky [Lyu09, Lyu12, GLP12, DDLL13, BG14, PDG14, MBDG14] has demonstrated very good performances. In par-ticular, the recent scheme Bliss has proved to compete with the standardized signature schemes
RSA and ECDSA both on software and hardware [DDLL13, PDG14]. Nevertheless, Bliss seems
to have room for improvements, both at the implementation level2 and at the design level.
In particular, there is a geometric constantCused to bound the length of certain vectors during the execution of Bliss. Because of the abort technique, this constant C has a direct impact on
the overall speed of the protocol. Experiments suggest that this bound should not be much larger that 1: over 20000 random challenges, C = 1.1 is sufficient with some margin. Yet we need this bound to hold for all keys and all challenges, for which Ducaset al. [DDLL13] could only prove, a constantC∈[1.5,1.9] depending on the parameter set.
1.1 This work
The problem. The speed of Blissis related to the `2 norm of the productScwhere the matrix S is the secret key and c the challenge vector. More precisely, one requires a bound kSck ≤ B, independent of the secret keyS∈ S in order to avoid leaking information on the secret keyS while signing. This bound dictates the running time of theBlisssigning procedure: the main loop needs
to be repeatedM =eB2/2σ2 times on average3, and M is called the repetition rate. Therefore any improvement on this bound kSck ≤ B directly leads to an acceleration of Bliss without altering
the rest of the scheme.
The set of challengesBnκ is the set of binary vector with exactlyκentries equal to 1, in particular
we have kck=√κ. Quite naturally one could bound kSck by s1(S)· kck wheres1(S) denotes the
singular norm (a.k.a. the spectral radius) of S. Unfortunately the singular norm of S is quite larger in the ring setting than in the standard setting: for ternary entries {0,±1} with density δ
of ±1 entries, we expect s1(S) ≈
√
δn√logn in the ring setting against s1(S) = Θ(
√
δn) without ring structure (see Section 2.3). This √logn factor may seem anecdotal in theory but is quite relevant in practice: in the design of Bliss a lot of effort was done to cut such corners, pushing
the proof of concepts [Lyu09, Lyu12] to an actual, practical scheme, competing with standardized cryptography [DDLL13, PDG14].
To improve on such a bound, Ducaset al.[DDLL13] exploit the binary structure of the challenge vector c and discuss the Gram matrix of the secret matrix G = StS. In practice, rejecting a reasonable (up to 90%) proportion of secret keys S during key generation depending on G they obtain the provable guarantee that kSck ≤ Cδ√nκ for any c ∈ Bnκ, where the value C varies
between 1.5 and 1.9 fromBliss-0 toBliss-IV. While this is much better than the singular norm
bound (in practice measured to be around 5), this is still quite far from 1.
Our solution. The introduction of the bimodal trick in [DDLL13] had a small drawback com-pared to previous similar constructions [Lyu09, Lyu12, GLP12]: the challenge vector c inherently became a modulo 2 object, and it was no longer possible to increase the entropy by using coefficients in{0,±1}rather than {0,1}.
Nevertheless, it does not restrict us to using the canonical binary representation c0 ∈ Zn of
c ∈ Zn2, in particular one may negate at will individual coordinates of c0 at the beginning of the
2
The open source software implementation [DL] does not use vectorized operations (MMX/SSE) for the Number Theoretic Transform. Pseudo random number generation could also benefit from AES instructions.
3
response phase, as long as the bound on kSc0k is preserved. And in fact, choosing an appropriate representationc0 may give a smaller result. We propose a simple algorithm that efficiently compute the product v = Sc0 for some c0 ≡ cmod 2 such that kSc0k ≤ kSk ·√κ (where kSk denote the largest norm among the columns ofS). This result is optimal considering the case where S would have perfectly orthogonal rows.
Results. Using the technique above, we are able to remove the unnatural constant C∈[1.5,1.9] and replace it by 1. We propose a variant Bliss-b of Bliss, with similar set of parameters but
for the rejection rateM, which is improved by a factor from 1.4 to 3.4. We have implemented our modification on the open-source implementation [DL]. Due to additional algorithmic efforts, the speed-up in practice is slightly less than what is predicted by the rejection rate. Our modification also speeds-up the key generation by a factor 5 to 10. Our patch will be made available under the terms of the original CeCILL license.
Organization. The rest of the paper is organized as follows. In Section 2 we give the necessary preliminaries on the construction of Bliss. Then, in Section 3 we present the efficient sign choosing
algorithm and prove the associated bound on the product kSc0k. We conclude with Section 4 by detailing the modification to obtain the new scheme Bliss-b: the algorithmic modifications, the
new parameters, and the comparative benchmarks.
2
Preliminaries
Notations Lower-case bold letters will denote column vectors overZ, and upper-case bold letters will denote matrices. The norm k · k notation refers to the euclidean norm for vectors. For a matrix M = [m1. . .mk] ∈ Z`×k, the norm kMk refers to the maximal norm among its columns: kMk = maxikmik. We note B for the binary set {0,1}, and Bnκ denotes the set of vectors of n
binary coordinates with exactly κ coordinates set to 1: Bnκ ={c∈Bn|kck1 =κ}. For such binary
vectors c∈Bn
κ, we define the indicator set Ic={i|ci 6= 0}.
2.1 The Cyclotomic Ring
As several prior constructions [LMPR08, LPR10],Blissrelies on a power of 2 cyclotomic ring: we
let nbe a power of 2 defining the (2n)th cyclotomic polynomial Φ2n(X) =Xn+ 1 and associated
cyclotomic ringR=Z[X]/(Xn+ 1). Those rings have convenient geometric properties, and allows very efficient Number Theoretic Transform for well chosen modulusq. We also writeRq=R/(qR)
for the residue ring of R modulo an integer q. Elements in R have a natural representation as polynomials of degreen−1 with coefficients in Z, andR can be identified (as an additive group) with the integer latticeZn, where each ring elementa=a0+a1x+. . .+an−1xn−1∈ Ris associated
with the coefficient vector a= (a0, . . . , an−1)∈Zn.
The ring R is also identified with the sub-ring of anti-circulant square matrices of dimension
n by regarding each ring element r ∈ R as a linear transformation x 7→ r·x over (the coefficient embedding) of R.
Prover Verifier
Secret KeyS∈ R2×1, short A·S=q mod 2q A= [a, q−2]∈ R1×2 2q
(S∈Z2n×n) (A∈
Zn2q×2n)
Commit
Sampley←Dσ2n
Compute u=A·ymodq −−−−→u
Challenge
c
←−−−− Sample c∈Bnκ
Compute z=y±Sc Response
Abort except with proba
1−Dσ2n(z)/M·Dσ2n(z±Sc) −−−−→z Accept ifkzk is small and Az=u+qc, Accept
Figure 1: Blissas a Σ-protocol
2.2 The original Bliss
The full description of Bliss is given in Appendix A, for our purpose we require only a simplified
description of the scheme. It is designed using the so-called Fiat-Shamir paradigm [FS86] with an extra abort step as introduced in [Lyu09] to prevent leaks of secret information. The scheme can be described as a Σ-protocol (a 3-round identification protocol). It is then transformed into a signature scheme by replacing the challenge generation step by a call to a hash function (modelled as a Random Oracle) to generate the challengec. The Σ-protocol associated toBlissis described
in Figure 1. In this description,D2σndenotes the discrete gaussian distribution of covarianceσ2·Id
in dimension 2n.
The repetition rate is set to M =e1/(2α2) and the correctness of the rejection sampling (which is required by the security proof) is ensured if for all challengesc∈Bn
κ,σ ≥α· kSck. This article
focuses on the improvement of the bound onkSck, hoping to increase the parameterαand therefore accelerating the whole scheme with minimal modifications. Modifying other parameters (σ, δ, . . .) one could trade this speed improvement for compactness or security, but that would be a more substantial alteration of Bliss. Modifying onlyα and M does preserve the whole security claims
of [DDLL13], as well as the optimized CDT tables precomputed in [PDG14].
The original bound. Let us recall how such bound is established in [DDLL13]. Let Gdenotes the Gram matrix associated to the secret key S∈ S: G=St·S. The bound used in Blissfollows
from rewriting
kSck2=ctGc=X
i∈Ic X
j∈Ic
Gi,j
(we recall that Icis the indicator set of c, defined byIc={i|ci = 1}). Such sum can be bounded
independently of c:
kSck2 ≤N
κ(S) whereNκ(S) = max
I⊂{1,...,n}
#I=κ
X
i∈I
max
J⊂{1,...,n}
#J=κ
X
j∈J
Gi,j
Name of the scheme Bliss-0 Bliss-I Bliss-II Bliss-III Bliss-IV
Security Toy 128 bits 128 bits 160 bits 192 bits Optimized for Fun Speed Size Security Security Signature size 3.3kb 5.6kb 5kb 6kb 6.5kb
dimension n 256 512 512 512 512
α .5 1 .5 .7 .55
κ 12 23 23 30 39
Secret key Nκ-Threshold C 1.5 1.62 1.62 1.75 1.88
Repetition rate M 7.39 1.65 7.39 2.77 5.22
Table 1: Selected parameters of Bliss
Out of the setS0 of all sampleable secret keys (see Alg. 3 in Appendix A), some will be rejected, restricting the set of keys to S = {S ∈ S0|Nκ(S) ≤ B}. This ensures the bound kSck2 ≤ B
independently of both the choicesS∈ S andc∈Bnκ =Bnκ.
Original parameter. The (relevant) parameters of Bliss are given in Table 1 (a full table is
given in Appendix A). The Nκ-thresholdC defines the ratio between the bound on kSck and its
expected value kSk · kck ≈ p5· dδne ·κ (δ denotes the density of ±1 among the ternary entries {0,±1}of the secret key S). That is, the set of acceptable secret keys inBlissis defined as
S ={S∈ S0|Nκ(S)≤C2·5dδne ·κ}
for some set S0 implicitly defined in the Key Generation algorithm (Alg. 3).
2.3 Asymptotics of various geometric bounds
For the sake of this discussion we may drop the parameter δ and consider that the coefficients of
S are uniformly randomly chosen from{±1}. We here detail the argument behind the asymptotic claims made during the introduction.
Singular norm, non-Ring setting. The spectral theory of random matrices [Ver10] ensures thats1(S) = Θ(
√
n) with overwhelming probability. This would lead to a constantC= Θ(1).
Singular norm, ring setting. Let us drop, for the sake of this discussion the binary structure of the secret and the challenge. Consider two polynomialss, c∈ R=R[X]/Φ2n(X) where sis drawn
with spherical gaussian distribution in the coefficient representation (s =P
fjXj, fj ← χ). Now
consider the complex representation (a.k.a. the Fourier transform ofs) ˆsof s(ˆsj =s(eπ(2j+1)ı/n)),
we remind that the Fourier transform is a scaled orthogonal map: kxˆk = √n· kxk. Because in the complex embedding multiplication occurs component-wise, that isscb = ˆsˆc, we conclude that
s1(s) = ksˆk∞. We expect from order statistic theory kˆsk∞ = O( √
nlogn) as the maximum of n
many Gaussian of variance √n (see [Roy82]). This would lead toC=O(√logn).
The Nκ-norm, Ring Setting. A small modification of the proof of [DDLL13, Prop. 4.1 of the
full version] can establish that
Nκ(S)≤(5dδne+ 1)κ+κ2
√
with overwhelming probability. Note that the only constraint onκis thatc←Bn
κ has at least Θ(n)
bits of entropy, requiringκ≥Θ(n/logn). If the second term were negligible one would be able to chooseC = 1 +o(1). While it is not asymptotically negligible, this second term remains reasonably small for the parameter of Bliss explaining why the constantC could be chosen as small as 1.5.
3
The Sign Choices algorithm and its Geometry
As detailed in the introduction, we will exploit ternary representation in Zn of challenge vectors modulo 2, by individually negating some coordinates of the binary vector c in order to greedily minimize the norm of kSck. More specifically, we rely on the identity:
ka+bk2 =kak2+kbk2+ 2ha,bi (1)
which implies that eitherka+bk2 orka−bk2 is less than kak2+kbk2. Precisely,
ka−ςbk2 ≤ kak2+kbk2 whereς = sgn(ha,bi)∈ {±1} (2)
where the sign function takes (arbitrarily) the value 1 on input 0.
Algorithm 1:GreedySC(S,c), The Greedy Sign Choices Algorithm.
Input: a matrixS= [s1. . .sn]∈Zm×n and a binary vectorc∈Bnκ
Output: v =Sc0 for somec0 ≡cmod 2 such that kSc0k2 ≤ kSk2· kck2 =kSk2·κ.
1: v←0∈Zm
2: for i∈ Ic do
3: ςi←sgn(hv,sii)
4: v←v−ςi·si
5: end for
6: returnv
Theorem 1(Correctness of the Greedy Sign Choices Algorithm). On inputsS∈Zm×nandc∈Bnκ,
the algorithm outputs v=GreedySC(S,c) such that v=Sc0 for some ternary vector c0 ≡cmod 2
and
kSc0k2≤ kSk2· kck2 =kSk2·κ.
Proof. We prove an invariant of the for-loop of GreedySC, assuming the set Ic is visited in some fixed order. We consider the subset Jk ⊂ Ic of indexes i that have been visited afterk steps and set
c0k=−X
i∈Jk
ςi·ei (ei ∈Zn being the i-th canonical unit vector).
We will prove the following invariant: c0k is a ternary vector such that Ic0
k = Jk and vk = S·c
0
k
verifies kvkk2 ≤ kSk ·k. It is trivially verified for k = 0. For the induction, first decompose
Jk+1 =Jk∪ {i}where i∈ Ic\ Jk. Following inequality (2) we derive:
kvk+1k2 ≤ kvkk2+ksik2≤ kSk2·k+kSk2 ≤ kSk2·(k+ 1).
We conclude that the output v=vκ =Sc0κ verifies kvk2 ≤ kSk2·κ and thatc0 =c0κ is a ternary
Efficiency. One may note the algorithm is not technically running in quasilinear time: it requires
O(mκ) integer additions, where m = 2n and κ = Ω(n/logn) to ensure that c ← Bn
κ contains at
least Θ(n) bits of entropy. Yet in practice the parameter κ is quite small (at most κ= 39 against
n = 512 for Bliss-IV) making the sparse subset-sum algorithm to compute Sc faster than the
Number Theoretic Transform based algorithm, especially considering that the entries ofSare quite small. The implementation [DL] of Blissindeed use a 64-bits vectorized subset-sum algorithm with
8-bits chunks.
Still, this new algorithm will be substantially slower: we need twice as many operations because of the added inner product, and those require computing with larger numbers. We need to be careful to avoid making this part of the algorithm way too costly in practice. The following vectorization should be enough to keep the cost ofGreedySCmuch smaller than the Gaussian sampling ofy1,y2
and the NTT product a1·y1.
Vectorized Implementation with 16-bits chunks. For the parameters of Bliss, we always
have kSk∞ ≤ 5 (see Algorithm 4 in Appendix A) which guarantees that kvk∞ ≤ 5κ ≤ 195 during the whole algorithm: the entries of v can definitely be stored as 16-bit signed integers. Additionally, any partial sum during the computation of hv,sii must be less in absolute value
thanm=kvk · kSk ≤ kSk2·√κ. For all parameter sets
Bliss-0toBliss-IVone easily checks that m is much less than 215. The whole GreedySC can therefore benefit from vectorized instructions
with 16-bits signed chunks.
4
The modified scheme and instantiations
4.1 Modifications of the scheme
We define a modified version Bliss-b of the scheme Bliss from [DDLL13]. The modifications to
the original scheme are listed below:
• We remove the constantC and the ad-hoc normNκ from the definitions
• A constant
Pmax=
(5dδ1ne+ 5)·κ ifδ2= 0
(5dδ1ne+ 20dδ2ne+ 9)·κ otherwise
is defined (syntactic sugar). The output productSc0=GreedySC(S,c) verifieskSc0k2 ≤P max
sincekSk2= 5(dδ
1ne+ 4dδ2ne) + 4g0+ 1.
• Line 3 of Algorithm 3 is removed: keys are no longer rejected during Key Generation.
• The Signature algorithm (Algorithm 4) is replaced by Algorithm 2, described below.
Algorithm 2:ModifiedBlissSignature Algorithm
Input: Messageµ, public keyA= (a1, q−2)∈ R21q×2, secret keyS= (s1,s2)t∈ R22×q1
Output: A signature (z1,z†2,c) of the messageµ
1: y1,y2 ←DZn,σ
2: u=ζ·a1·y1+y2mod 2q
3: c←H(buedmodp, µ)
4: (v1,v2)←GreedySC(S,c)
5: Choose a random bitb
6: (z1,z2)←(y1,y2) + (−1)b·(v1,v2)
7: Continue with probability 1
.
Mexp
−k2vσk22
cosh
h
z,vi
σ2
otherwise restart
8: z†2←(bued− bu−z2ed) modp
9: Output (z1,z†2,c)
4.2 New parameters and benchmarks
We left all parameters related to security unmodified, so that the security claims of [DDLL13] are preserved, our modifications only affect the efficiency of the scheme. we recall that the rejection rate is defined as M = exp(1/(2α2)). The new value of α is given by α = σ/Pmax. We obtain
a theoretical speed-up ranging from 1.4 to 3.4 as detailed in Table 2. The Key Generation is also accelerated by a factor 5 to 10 since secret keys are not rejected according to Nκ anymore.
Our implementation conforms to those predictions considering a small slowdown related to the added cost of the greedy algorithm: the actual speed-up factor varies from 1.2 (Bliss-bI) to 2.8
(Bliss-bII). Table 3 compares the running time of Blissand Bliss-b.
Scheme Bliss-b0 Bliss-bI Bliss-bII Bliss-bIII Bliss-bIV
Security Toy 128 bits 128 bits 160 bits 192 bits Optimized for Fun Speed Size Security Security Signature size 3.3kb 5.6kb 5kb 6kb 6.5kb
dimensionn 256 512 512 512 512
α .748 1.610 .801 1.216 1.027
Repetition rate M 2.44 1.21 2.18 1.40 1.61
Predicted Speed-up ×3.0 ×1.4 ×3.4 ×2.0 ×3.3
Table 2: Parameters of the modified scheme Bliss-b
Scheme Bliss-0 Bliss-I Bliss-II Bliss-III Bliss-IV
Sign Run Time 256µs 154µs 520µs 240µs 419µs
Scheme Bliss-b0 Bliss-bI Bliss-bII Bliss-bIII Bliss-bIV
Sign Run Time 108µs 128µs 185µs 146µs 167µs
Speed-up ×2.4 ×1.2 ×2.8 ×1.6 ×2.5
Backward and Forward compatibility. Signatures are both backward and forward compat-ible, that is signature generated using Bliss-bwill also be valid for Bliss and reciprocally, since
both schemes are corrects and have the same verification algorithm. Secret keys are only forward compatible, that is secret keys generated byBlisscan be used inBliss-band do benefit from the
speed-up as well. Yet secret keys generated by Bliss-bshould not be used inBliss: the condition σ≥α· kSck may not always hold leading to information leakage.
Acknowledgements
The authors wish to thank V. Lyubashevsky, T. Lepoint, and J.C. Deneuville for helpful comments. This research was supported in part by the DARPA PROCEED program and NSF grant CNS-1117936. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or NSF.
References
[AD97] Mikl´os Ajtai and Cynthia Dwork. A public-key cryptosystem with worst-case/average-case equiv-alence. In29th ACM STOC, pages 284–293. ACM Press, May 1997.
[Ajt96] Mikl´os Ajtai. Generating hard instances of lattice problems (extended abstract). In28th ACM STOC, pages 99–108. ACM Press, May 1996.
[BG14] Shi Bai and Steven D. Galbraith. An improved compression technique for signatures based on learning with errors. In Josh Benaloh, editor,CT-RSA 2014, volume 8366 ofLNCS, pages 28–47. Springer, February 2014.
[Boy10] Xavier Boyen. Lattice mixing and vanishing trapdoors: A framework for fully secure short signatures and more. In Phong Q. Nguyen and David Pointcheval, editors, PKC 2010, volume 6056 ofLNCS, pages 499–517. Springer, May 2010.
[CHKP12] David Cash, Dennis Hofheinz, Eike Kiltz, and Chris Peikert. Bonsai trees, or how to delegate a lattice basis. Journal of Cryptology, 25(4):601–639, October 2012.
[DDLL13] L´eo Ducas, Alain Durmus, Tancr`ede Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Ran Canetti and Juan A. Garay, editors,CRYPTO 2013, Part I, volume 8042 ofLNCS, pages 40–56. Springer, August 2013.
[DL] L´eo Ducas and Tancr`ede Lepoint.A Proof-of-concept Implementation of BLISS. Available under the CeCILL License athttp://bliss.di.ens.fr.
[DM14] L´eo Ducas and Daniele Micciancio. Improved short lattice signatures in the standard model. In Juan A. Garay and Rosario Gennaro, editors, CRYPTO 2014, Part I, volume 8616 of LNCS, pages 335–352. Springer, August 2014.
[DN12] L´eo Ducas and Phong Q. Nguyen. Learning a zonotope and more: Cryptanalysis of NTRUSign countermeasures. In Xiaoyun Wang and Kazue Sako, editors,ASIACRYPT 2012, volume 7658 ofLNCS, pages 433–450. Springer, December 2012.
[DPL14] Leo Ducas, Thomas Prest, and Vadim Lyubashevsky. Efficient identity-based encryption over ntru lattices. 2014. To be Published at Asiacrypt 2014.
[Gen09] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Michael Mitzenmacher, editor,41st ACM STOC, pages 169–178. ACM Press, May / June 2009.
[GLP12] Tim G¨uneysu, Vadim Lyubashevsky, and Thomas P¨oppelmann. Practical lattice-based cryptog-raphy: A signature scheme for embedded systems. In Emmanuel Prouff and Patrick Schaumont, editors,CHES 2012, volume 7428 ofLNCS, pages 530–547. Springer, September 2012.
[GPV08] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages 197–206. ACM Press, May 2008.
[GVW13] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Attribute-based encryption for circuits. In Dan Boneh, Tim Roughgarden, and Joan Feigenbaum, editors, 45th ACM STOC, pages 545–554. ACM Press, June 2013.
[HPS98] Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman. NTRU: A ring-based public key cryp-tosystem. InAlgorithmic Number Theory – Proc. ANTS-III, volume 1423 ofLecture Notes in Computer Science, pages 267–288. Springer, 1998.
[LMPR08] Vadim Lyubashevsky, Daniele Micciancio, Chris Peikert, and Alon Rosen. SWIFFT: A modest proposal for FFT hashing. In Kaisa Nyberg, editor, FSE 2008, volume 5086 of LNCS, pages 54–72. Springer, February 2008.
[LPR10] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. In Henri Gilbert, editor, EUROCRYPT 2010, volume 6110 of LNCS, pages 1–23. Springer, May 2010.
[Lyu09] Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages 598– 616. Springer, December 2009.
[Lyu12] Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors,EUROCRYPT 2012, volume 7237 ofLNCS, pages 738–755. Springer, April 2012.
[MBDG14] Carlos Aguilar Melchor, Xavier Boyen, Jean-Christophe Deneuville, and Philippe Gaborit. Seal-ing the leak on classical ntru signatures. InPost-Quantum Cryptography, pages 1–21. Springer, 2014.
[Mic02] Daniele Micciancio. Generalized compact knapsacks, cyclic lattices, and efficient one-way func-tions from worst-case complexity assumpfunc-tions. In43rd FOCS, pages 356–365. IEEE Computer Society Press, November 2002.
[MP12] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In David Pointcheval and Thomas Johansson, editors,EUROCRYPT 2012, volume 7237 ofLNCS, pages 700–718. Springer, April 2012.
[NR06] Phong Q. Nguyen and Oded Regev. Learning a parallelepiped: Cryptanalysis of GGH and NTRU signatures. In Serge Vaudenay, editor,EUROCRYPT 2006, volume 4004 ofLNCS, pages 271–288. Springer, May / June 2006.
[PDG14] Thomas P¨oppelmann, L´eo Ducas, and Tim G¨uneysu. Enhanced lattice-based signatures on reconfigurable hardware. In Lejla Batina and Matthew Robshaw, editors,CHES 2014, volume 8731 ofLNCS, pages 353–370. Springer, September 2014.
[SS11] Damien Stehl´e and Ron Steinfeld. Making NTRU as secure as worst-case problems over ideal lattices. In Kenneth G. Paterson, editor, EUROCRYPT 2011, volume 6632 of LNCS, pages 27–47. Springer, May 2011.
[Ver10] Roman Vershynin. Introduction to the non-asymptotic analysis of random matri-ces. CoRR, abs/1011.3027, 2010. http://www-personal.umich.edu/~romanv/papers/ non-asymptotic-rmt-plain.pdf.
A
Full Description of Original Bliss and parameters
Algorithm 3:BlissKey Generation
Output: Key pair (A,S) such thatAS=qmod 2q
1: Choosef,gas uniform polynomials with exactlyd1=dδ1neentries in{±1}and d2=dδ2neentries in
{±2}
2: S= (s1,s2)t←(f,2g+ 1)t // Implicitly defining the setS0
3: ifNκ(S)≥C2·5·(dδ1ne+ 4dδ2ne)·κthenrestart
4: aq = (2g+ 1)/f modq(restartiff is not invertible)
5: Output(A,S) whereA= (2aq, q−2) mod 2q
Algorithm 4:BlissSignature Algorithm
Input: Messageµ, public keyA= (a1, q−2)∈ R12×q2, secret keyS= (s1,s2)t∈ R22×q1
Output: A signature (z1,z†2,c) of the messageµ
1: y1,y2←DZn,σ
2: u=ζ·a1·y1+y2mod 2q
3: c←H(buedmodp, µ)
4: Choose a random bitb
5: z1←y1+ (−1)bs1c; z2←y2+ (−1)bs2c
6: Continuewith probability 1. Mexp−kSc2σk22
coshhzσ,Sc2 i
otherwiserestart
7: z†2←(bued− bu−z2ed) modp
8: Output(z1,z†2,c)
Algorithm 5:BlissVerification Algorithm
Input: Messageµ, public keyA= (a1, q−2)∈ R21q×2, signature (z1,z†2,c)
Output: Accept or Reject the signature 1: if k(z1|2d·z†2)k2> B2 then Reject
2: if k(z1|2d·z†2)k∞> B∞ then Reject
3: Accept iffc=H ζ·a1·z1+ζ·q·c
d+z †
Name of the scheme BLISS-0 BLISS-I BLISS-II BLISS-III BLISS-IV Security Toy (≤60 bits) 128 bits 128 bits 160 bits 192 bits
Optimized for Fun Speed Size Security Security
n 256 512 512 512 512
Modulusq 7681 12289 12289 12289 12289
Secret key densitiesδ1, δ2 .55 , .15 .3 , 0 .3 , 0 .42 , .03 .45, .06
Gaussian standard deviationσ 100 215 107 250 271
α .5 1 .5 .7 .55
κ 12 23 23 30 39
Secret keyNκ-ThresholdC 1.5 1.62 1.62 1.75 1.88
Dropped bitsdinz2 5 10 10 9 8
Verification thresholdsB2, B∞ 2492, 530 12872, 2100 11074, 1563 10206,1760 9901, 1613
Repetition rate 7.4 1.6 7.4 2.8 5.2
Entropy of challengec∈Bn
κ 66 bits 132 bits 132 bits 161 bits 195 bits
Signature size 3.3kb 5.6kb 5kb 6kb 6.5kb
Secret key size 1.5kb 2kb 2kb 3kb 3kb
